Peace Games – BlueHat Prize Update and Countdown

Rank: Senior Security Strategist Lead, Head of Microsoft’s Security Community and Strategy Team

Likes: Cool vulns, BlueHat, soldering irons, quantum teleportation

Dislikes: Rudeness, socks-n-sandals, licorice

In the film WarGames, an artificial intelligence program named Joshua asked the main character, a teenage hacker, the now-famous question, “Shall we play a game?” When Microsoft announced the BlueHat Prize at the Black Hat Briefings in Las Vegas last summer, we asked a different question of the security researchers of the world, focused on defense.

Microsoft is offering over $250,000 in cash and prizes to security researchers who submit the best new security defense technology that meets the contest criteria. The top prize is $200,000 in cash, and the “mad loot” still could be yours!

With just under a week left in the entry period for the contest, which closes April 1, security researchers still have time to enter the competition to win the first and largest prize a vendor has offered for security defense research.

The ability to defeat the latest exploit mitigation technologies on various platforms is an extremely rare skill, as we have seen with several existing competitions that focus on vulnerability exploitation. Applying that knowledge to design new or enhanced mitigation technologies that help defend against exploit techniques like heap spraying or Return-Oriented Programming (ROP) was a challenge that we were hoping would garner at least as much interest.

The BlueHat Prize contest has exceeded our expectations for participation. So far we’ve had ten entries to the competition, the last four of which arrived over the past couple of weeks – an impressive showing, considering the difficulty of the problem we posed and the very small estimated number of individuals worldwide who possess the knowledge and expertise to seriously compete.

The entries cover a wide variety of ideas designed to help defend against different exploitation techniques, and it’s been great to see fresh insight into these technical areas. We’ve also been excited to see who has chosen to compete for the prize: some of the contestants are security researchers with great track records in the security community, some are from academia, and some are from other venues altogether.

For those beautiful minds who have yet to enter their ideas for the contest, here are some highlights from the official rules:

– Complete entries must be received by midnight Pacific Time April 1, 2012.

– Complete entries must include a verbal description of the idea in English, as well as prototype code to show the exploit mitigation idea in action.

– For an entry to be valid, one of the criteria is that it should not be public at the time of entry (i.e., it must be new). However, a valid entry can be a new improvement on existing exploit mitigation techniques.

– If you have more questions, see the FAQ on the BlueHat Prize website or, if you don’t see your question answered there, contact the BlueHat Prize team.

With over $250,000 in cash and prizes on the line, we are excited that the first BlueHat Prize contest has already garnered great participation. One of my favorite quotes is from the great hockey player Wayne Gretzky, and it applies here for sure: “You miss 100% of the shots you don’t take.”